Using IOS 15.0 code, a user is able to use auth-proxy successfully with TACACS+ and ACS 4.x. However, as soon as the user upgrades the IOS to 15.1 or beyond, auth-proxy fails.
Conditions / Environment
NAS device running IOS 15.1+
auth-proxy using TACACS+
Cause / Problem Description
If you look at the 15.1 or 15.2 tacacs debugs you'll see the following:
265410: Jan 26 14:13:55 EST: TPLUS: processing authorization request id 59
265411: Jan 26 14:13:55 EST: TPLUS: Sending AV service=auth-proxy
265412: Jan 26 14:13:55 EST: TPLUS: Sending AV protocol=ip
However, if you look at how the service is configured in the TACACS+ section of the interface configuration on the ACS, you'll see that the protocol isn't specified:
It looks like the older 15.0 code didn't enforce the protocol for auth-proxy as strictly, whereas 15.1 and above does, and so the users fail auth-proxy.
The fix for this is actually quite simple. You can just add ip under the protocol tab in the section above, as shown below:
However, the twist is that ACS doesn't just update the existing service; instead it creates a brand new service called "auth-proxy ip" (the older one was called just "auth-proxy"). So to fix this you need to go into each group which used to have "auth-proxy" enabled, enable "auth-proxy ip" for all of them, and copy over all the custom attributes so that it works exactly the same as before:
It's important to keep in mind, however, that until all NAS devices have been upgraded to 15.1+ code, it would be unwise to remove the old service.
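As an added example (not part of the original article), here is a small Python check that parses the TPLUS debug output above, derives the service and protocol the NAS is asking ACS to authorize, and reports which ACS groups still lack the matching "auth-proxy ip" service while keeping the old one for not-yet-upgraded NAS devices. The group names are constructed, and the rule that ACS names and matches a service on service plus protocol is an assumption modelled on the article's description.

```python
import re

# Constructed sample: the IOS 15.1+ TACACS+ debug lines quoted in the article.
DEBUG_LINES = [
    "265410: Jan 26 14:13:55 EST: TPLUS: processing authorization request id 59",
    "265411: Jan 26 14:13:55 EST: TPLUS: Sending AV service=auth-proxy",
    "265412: Jan 26 14:13:55 EST: TPLUS: Sending AV protocol=ip",
]

# Constructed sample of ACS groups and the services enabled on each.
GROUPS = {
    "branch-users": {"auth-proxy"},              # old service only: fails on 15.1+
    "admins": {"auth-proxy", "auth-proxy ip"},   # migrated, old service kept for 15.0 NAS
}

AV_RE = re.compile(r"TPLUS: Sending AV (\w+)=(\S+)")


def parse_av_pairs(lines):
    """Collect the AV pairs (e.g. service=..., protocol=...) sent in one request."""
    pairs = {}
    for line in lines:
        match = AV_RE.search(line)
        if match:
            pairs[match.group(1)] = match.group(2)
    return pairs


def acs_service_name(service, protocol=None):
    """Assumed ACS 4.x naming: 'auth-proxy' without a protocol, 'auth-proxy ip'
    once 'ip' is added under the Protocol tab (as the article describes)."""
    return f"{service} {protocol}" if protocol else service


def groups_missing_service(groups, request):
    """Groups that do not have the service the NAS request would require.
    A 15.1+ request (protocol=ip) needs 'auth-proxy ip'; a pre-15.1 request
    without a protocol AV matches plain 'auth-proxy'."""
    wanted = acs_service_name(request["service"], request.get("protocol"))
    return sorted(name for name, svcs in groups.items() if wanted not in svcs)


if __name__ == "__main__":
    req = parse_av_pairs(DEBUG_LINES)
    print("NAS requests:", acs_service_name(req["service"], req.get("protocol")))
    print("Groups still to migrate:", groups_missing_service(GROUPS, req))
```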